BlackOasis APT distributes FinSpy using zero-day exploit

Delaware, USA – October 17, 2017 – According to researchers from Kaspersky Lab, the BlackOasis APT group is using a new vulnerability in Adobe Flash Player (CVE-2017-11292) to deliver FinSpy spyware. Adobe has already released a patch for this vulnerability. Exploitation of CVE-2017-11292 allows adversaries to execute arbitrary code on assets running most desktop operating systems supported by Flash Player. The BlackOasis group is known for attacks against targets in the Netherlands, Great Britain, Russia, Saudi Arabia and a number of other countries, and it relies mainly on spear phishing to infect its victims. The malicious email carries an MS Office document with an embedded ActiveX object. When the document is opened, ActionScript inside the object unpacks the SWF exploit, which then downloads and executes the second-stage shellcode and a lure document from the C&C server. The downloaded document serves only to distract the victim's attention.
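The infection chain above starts with an Office document carrying an embedded Flash ActiveX object. As an added example, written for this page and not taken from the Kaspersky report or from Use Case Cloud, the Python script below shows one triage check a SOC could run on inbound attachments before they reach a user: open the OOXML archive and flag any ActiveX manifest that names the Shockwave Flash control CLSID, or any part that contains a plausible SWF header (FWS, CWS or ZWS). The CLSID and the SWF header layout are public constants; the sample documents are constructed inside the script and only loosely imitate a real Word file, and the function names and the 64 MB length bound are my own choices.

```python
import io
import struct
import zipfile

# Shockwave Flash ActiveX control CLSID (public, well-known constant).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# SWF signatures: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_LEN = 64 * 1024 * 1024  # sanity bound for the header's declared length (my choice)


def find_swf_headers(blob):
    """Return offsets of plausible SWF headers anywhere inside a byte blob.

    A SWF begins with a 3-byte signature, a 1-byte version and a 4-byte
    little-endian uncompressed length. Checking the version and length keeps
    the three letters in ordinary text from counting as a match, and scanning
    at every offset matters because Office stores the SWF inside an OLE
    container, not at the start of the part.
    """
    hits = []
    for magic in SWF_MAGIC:
        start = 0
        while True:
            i = blob.find(magic, start)
            if i < 0:
                break
            start = i + 1
            if i + 8 > len(blob):
                continue
            version = blob[i + 3]
            (length,) = struct.unpack_from("<I", blob, i + 4)
            if 1 <= version <= 50 and 8 <= length <= MAX_SWF_LEN:
                hits.append(i)
    return sorted(hits)


def scan_ooxml(data):
    """Inspect an OOXML (docx/xlsx/pptx) archive for embedded Flash content.

    Returns a dict with the ActiveX manifests naming the Flash CLSID, the
    parts carrying a plausible SWF header, and an overall 'suspicious' flag.
    """
    result = {"flash_activex": [], "swf_parts": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            blob = zf.read(name)
            lower = name.lower()
            if "activex" in lower and lower.endswith(".xml"):
                if FLASH_CLSID.lower() in blob.decode("utf-8", "replace").lower():
                    result["flash_activex"].append(name)
            if find_swf_headers(blob):
                result["swf_parts"].append(name)
    result["suspicious"] = bool(result["flash_activex"] or result["swf_parts"])
    return result


def build_sample(with_flash):
    """Construct a minimal OOXML-like archive (constructed test data, not a
    real document): a Word body plus, optionally, a Flash ActiveX manifest and
    a binary part carrying a zlib-compressed SWF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{%s}" ax:persistence="persistStorage"/>' % FLASH_CLSID,
            )
            # 512 zero bytes stand in for the OLE header that precedes the
            # SWF stream in a real activeX1.bin; then a CWS header (version 32)
            # declaring a 4096-byte uncompressed movie, followed by filler.
            swf = b"CWS" + bytes([32]) + struct.pack("<I", 4096) + b"\x78\x9c" + b"\x00" * 32
            zf.writestr("word/activeX/activeX1.bin", b"\x00" * 512 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("flash", build_sample(True))):
        print(label, scan_ooxml(doc))
```

Run against a real mail gateway quarantine, the check is cheap enough to apply to every Office attachment; a hit does not prove exploitation, but after Adobe's patch there is little legitimate reason for Flash content to arrive by email, so flagged documents are a sensible input for the SIEM use cases described later on this page.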

FinSpy malware, also known as FinFisher or WingBird, has a wide range of spying capabilities on its victims' systems. BlackOasis APT has used five zero-day vulnerabilities in attacks over the past two years, and now that the patch for CVE-2017-11292 has been released, the group is likely to seek new ways of delivering its cyberespionage tools. To secure your organization against such attacks, deploy the Flash Player update without delay, monitor network activity and use IP whitelisting where possible. You can also empower your Security Operations Center with analytical content from Use Case Cloud. With the specialized use cases, your SIEM tool will be able to detect suspicious activity in a timely manner and notify administrators about the most critical incidents that require investigation.